Hackers selling hacked police emails to request user data from TikTok, Facebook (404media.co)
152 points by fouadmatin on Sept 5, 2023 | 46 comments



Whatever happened to the concept of receiving a legal-order, having your lawyers scrutinize it and complying afterwards? None of these high-stakes data handoffs coordinated over insecure email.


You want private courts? You destroy due process? You want pay-to-play legal systems?

You pay the price. This is the price. And you better not complain.

You can either have one, or the other. But you can’t compromise one and keep the other.


I want public no pay-to-play legal systems.


The emails should just be made public anyway.

They are public servants, yes?

"To serve and to protect."


It’s about fraudulent data requests using hacked email accounts from government bodies all around the world. What emails are you referring to that should be made public?


Well if they have nothing to hide then what's the issue, officer?


I’m not arguing against your point, it just appears completely irrelevant to the article under discussion, so I asked for clarification instead of just assuming you didn’t read the article.


Castle Rock v. Gonzales, 545 U.S. 748 (2005) (Police not required to serve or to protect).


False advertising.


Lack of a sale or advertisement of any merchandise would be fatal to such a claim, at least in this jurisdiction.


This is a great example of why E2EE is important even if you trust your government.


According to Meta, WhatsApp is E2EE and data requests by government agencies can only reveal metadata like recipients, durations of calls, frequency of messages, but not content of messages.


"Hey Timmy I noticed you talk to Susan 5 times a day sometimes for 5 minutes and sometimes for 2 hours. Always right after you say goodnight to us. Sometimes I see you call her late at night from outside her house for 10 seconds when you were supposed to be in your room and then you don't use your phone again for a couple hours -- No no, I'm not invading your privacy, it's only metadata"


Also the mail has access to this metadata.

The basis of using a service is that you entrust them with the care of your necessity. That they make it unable by policy not to look at the contents of your mail is a nice feature, but not necessary, as we firstly rely on the good faith we put on the service provider. To go ahead and request that the security measures be extended to data necessary to route communications is of a pathological paranoic nature.

The mailman needs to know the address.

Mailmen who don't require your address to deliver may appear as competitors, but they will always be a shady second choice, because mailmen need to know your address.


The government is not providing my internet.

I believe the internet should be treated like the mail, but until the government actually steps in and takes ownership of it, they have no business having access to the metadata necessary to route packets, let alone the logs of those routings, and certainly not any additional metadata that is not part of the routing function.


Metadata is often as valuable or even more valuable than the data itself.

Because you might be talking to the mob boss about the weather. But the fact that you are talking to the mob boss is an extremely interesting data point. It pins you to the map in a way that you are immediately a POI and causes a file to be opened on you and your other contacts to further map your place in the network. Who talks to who is very powerful information.


Having metadata be accessible to law enforcement is a good compromise between privacy and law enforcement.


See The Wire.


> only

"We kill people based on metadata." - General Michael Hayden, former director NSA and CIA


That's enough to tell you if a given request is being seriously discussed.


Someone should create haveibeensubpoenaed.com


Ok if these social media giants are authenticating LEOs by origin email only, without benefit of GPG, or secure token, or whatever, then they are stuck on stupid, and deserve any hacking they get. Ouch.


Email actually has very well-thought-out authentication mechanisms, such that it's not unreasonable to expect a domain is not spoofed, and it came from the server it says it came from.

But if some baddies have logged into your server and are sending messages as you, then DKIM can't save you.

So say social media companies want a higher standard of proof that emails are coming from a particular institution: what mechanisms are available that don't involve onboarding every individual officer to the subtleties of public key cryptography?
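As an added illustration of the point above (not code from the thread), here is a small parser for Authentication-Results headers with a DMARC-style alignment check; the two headers and the police.example.gov domain are constructed. It shows that a message sent from a compromised account passes every check, because SPF and DKIM vouch for the sending domain, not for the person at the keyboard.

```python
from typing import Dict

# Constructed Authentication-Results headers (RFC 8601 shape), not taken
# from the article. police.example.gov is a placeholder agency domain.
SPOOFED = ("mx.social.example; spf=fail smtp.mailfrom=police.example.gov; "
           "dkim=none; dmarc=fail header.from=police.example.gov")
COMPROMISED = ("mx.social.example; spf=pass smtp.mailfrom=police.example.gov; "
               "dkim=pass header.d=police.example.gov header.s=s1; "
               "dmarc=pass header.from=police.example.gov")


def parse_auth_results(header: str) -> Dict[str, Dict[str, str]]:
    """Split 'authserv-id; method=result prop=value ...' into
    {method: {'result': ..., prop: value, ...}}."""
    stanzas = [s.strip() for s in header.split(";")][1:]  # drop authserv-id
    parsed: Dict[str, Dict[str, str]] = {}
    for stanza in stanzas:
        if not stanza:
            continue
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        props["result"] = result
        parsed[method] = props
    return parsed


def aligned(candidate: str, base: str) -> bool:
    """DMARC relaxed alignment: same domain or a subdomain of it."""
    candidate = candidate.lower().rsplit("@", 1)[-1]  # tolerate full addresses
    base = base.lower()
    return candidate == base or candidate.endswith("." + base)


def domain_authenticated(header: str, from_domain: str) -> bool:
    """True when SPF or DKIM passed *and* aligns with the From domain.
    A pass proves the domain's infrastructure sent it, nothing more: a
    hijacked mailbox on that domain passes exactly like a legitimate one."""
    r = parse_auth_results(header)
    spf, dkim = r.get("spf", {}), r.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", ""), from_domain)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_domain)
    return spf_ok or dkim_ok
```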


Never building a back door for LEOs sounds like a reasonable option.


It's the unsuspecting users that are the victim of this.


Tech companies don't give a shit, it's the same reason why they're handing over data when just simply asked.


You'll be horrified to learn exactly how much business is conducted through unsecured fax machines.


For some absurd reason fax is often seen by bureaucracies in some countries as “more secure” than email.


Isn’t it though? You can attack email systems, network operators, and end users in a myriad of ways remotely from anywhere in the world. How can you compromise a traditional fax? Eavesdropping the PSTN itself? Physical access to one of the machines? Stealing the printed document?

Network fax systems are more convenient to use than traditional, but still more secure than email because they’ve been designed to be so.


Analog. Unencrypted. Your intent to misinform appears evident.


Where’s the attack surface to exploit this analog and unencrypted data? A government can order their telecoms (and they do), but the same happens with email providers. Neither is secure from government intrusion, but email is easier to compromise than traditional fax systems because their exposure is so limited.


How's that absurd? If you have 0 experienced security folks on staff/consulting, and no one willing to listen to them, then a fax is almost certainly more secure in practice.


One of those countries is the US. Fax is unencrypted analog. In practice, this is very certainly not secure. It's only "more secure" in the sense that unauthorized access to it counts as wiretapping, whereas the feds carved a loophole allowing them to read private emails without going afoul of our anti-wiretapping laws. That you don't see the absurdity means our educational system is also doing what the feds built it to do.


> It's only "more secure" in the sense that unauthorized access to it counts as wiretapping, whereas the feds carved a loophole allowing them to read private emails without going afoul our anti-wiretapping laws.

How is that different from techbros trying to claim a loophole for their illegal business, because it's on the internet/through an app/'is a gig job'/on a blockchain?

When legislature hasn't kept up with technology, the only way to fight that behaviour is through lawsuits. Lawsuits have made some headway in dealing with both private and government malfeasance here.


In the 1990s the phone network probably was more secure than the Internet but it's not today.


I don't think most law enforcement agencies have any second factor to authenticate themselves online. And it's not the social media companies that suffer but their users whose privacy is being violated.


Don't you think it's within the social media companies' interest to respond to as few subpoenas as possible, i.e. only genuine ones from authorities?

But maybe you're right and this problem won't be solved, because the person being harmed has no power and the institution in power sees no harm.


Obviously they're going to try to verify law enforcement requests. It's a tradeoff.


"Try" == "it's a .gov email - looks good!"


Why do you believe they would? It's definitely not demonstrated here.


To many normal people the "from" field in an email means that it came from there.

I am wondering how they get the data back though, unless they demand it is faxed, or sent to another email address. (Or the person replying doesn't notice the different reply-to address.)


Interestingly, gmail trusts the from field, so if I send a message “from” you to your account, it will put it in your sent folder.

Urban legend says people have been fired after forged harassment emails were delivered this way.

Google claims this is a feature, and the sent “label” isn’t meant to mean that it came from your gmail account.

For instance, there could be a corporate service firehosing spam at coworkers on your behalf, and obviously you don’t want to notice that, so it puts it in the sent box.


I thought gmail enforces SPF for gmail emails. I'd try it myself, but I don't want the few machines I have with port 25 unblocked to get a worse spam rating.

Is this documented anywhere?


If the email account has been hacked (which it has in this case) then it can just go back to the original hacked email.


Generally email systems will have rules that support things like “if this account gets any mail from this address at Facebook.com, move it to some obscure folder and forward it to badguy@gmail.com” which is sometimes how this plays out.
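An added example, not from the thread, of the defender-side audit that catches the kind of rule described above: scan exported mailbox rules for forwarding to external addresses and for rules that hide mail from the platforms' legal-request senders. The rule model, the police.example.gov domain and the sample rules are constructed; Facebook.com and badguy@gmail.com are the values the comment itself uses.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed victim agency domain and watched platform senders (constructed).
INTERNAL_DOMAIN = "police.example.gov"
WATCHED_SENDERS = ("facebook.com", "tiktok.com")


@dataclass
class InboxRule:
    """Minimal model of a mailbox rule as exported from a mail platform."""
    name: str
    from_contains: List[str] = field(default_factory=list)
    move_to_folder: str = ""          # empty string means "leave in Inbox"
    forward_to: List[str] = field(default_factory=list)
    delete: bool = False


def rule_findings(rule: InboxRule) -> List[str]:
    """Return human-readable reasons this rule deserves review (empty if none)."""
    findings: List[str] = []
    external = [a for a in rule.forward_to
                if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    # A rule that both matches a platform's address and moves or deletes the
    # mail keeps the real mailbox owner from ever seeing the reply.
    hides = rule.delete or bool(rule.move_to_folder)
    watched_hit = [s for s in rule.from_contains
                   if any(w in s.lower() for w in WATCHED_SENDERS)]
    if hides and watched_hit:
        findings.append("hides mail from watched sender: " + ", ".join(watched_hit))
    return findings


def audit_rules(rules: List[InboxRule]) -> Dict[str, List[str]]:
    """Map each suspicious rule's name to its findings; clean rules are omitted."""
    return {r.name: f for r in rules if (f := rule_findings(r))}


# Constructed sample: one benign rule and one of the shape described in the thread.
SAMPLE_RULES = [
    InboxRule("Vendor newsletters", ["newsletter@vendor.example"], "Newsletters"),
    InboxRule("RSS Feeds", ["Facebook.com"], "RSS Subscriptions", ["badguy@gmail.com"]),
]

if __name__ == "__main__":
    for name, reasons in audit_rules(SAMPLE_RULES).items():
        print(f"{name}: " + "; ".join(reasons))
```

Run against a real export, the same two checks (external forward, watched sender routed out of the Inbox) are what a mailbox-rule audit in an incident response playbook looks for first.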


They respond to written letters too (and they have a legal obligation to do so).

There is, unfortunately, no way to get every police force on the globe to agree to some authentication scheme.

